goharbor/harbor

OIDC: Considering add HS256 signature algorithm support?

Open

#21392 opened on Jan 8, 2025

View on GitHub
 (1 comment) (1 reaction) (1 assignee)Go (28,490 stars) (5,235 forks)batch import
area/oidchelp wantedkind/requirement

Description

There are lots of private OIDC providers still using HS256 signature algorithm (such as company I'm working for).

Whether to consider add support for HS256 signature algorithm?

Related harbor-core logs:

[ERROR] [/lib/http/error.go:57]: {"errors":[{"code":"INTERNAL_SERVER_ERROR","message":"oidc: malformed jwt: go-jose/go-jose: unexpected signature algorithm \"HS256\"; expected [\"RS256\"]"}]}
/harbor/src/lib/http/error.go:85, github.com/goharbor/harbor/src/lib/http.apiError
/harbor/src/lib/http/error.go:54, github.com/goharbor/harbor/src/lib/http.SendError
/harbor/src/common/api/base.go:74, github.com/goharbor/harbor/src/common/api.(*BaseAPI).RenderError
/harbor/src/common/api/base.go:232, github.com/goharbor/harbor/src/common/api.(*BaseAPI).SendInternalServerError
/harbor/src/core/controllers/oidc.go:125, github.com/goharbor/harbor/src/core/controllers.(*OIDCController).Callback
/usr/local/go/src/reflect/value.go:581, reflect.Value.call
/usr/local/go/src/reflect/value.go:365, reflect.Value.Call
/go/pkg/mod/github.com/beego/beego/v2@v2.2.1/server/web/router.go:1234, github.com/beego/beego/v2/server/web.(*ControllerRegister).serveHttp
/go/pkg/mod/github.com/beego/beego/v2@v2.2.1/server/web/filter.go:83, github.com/beego/beego/v2/server/web.(*FilterRouter).filter
/go/pkg/mod/github.com/beego/beego/v2@v2.2.1/server/web/router.go:1003, github.com/beego/beego/v2/server/web.(*ControllerRegister).ServeHTTP
/harbor/src/server/middleware/middleware.go:52, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.MiddlewareWithConfig.New.func22.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/security/security.go:75, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.UnauthorizedMiddleware.func10
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.UnauthorizedMiddleware.New.func19.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/security/security.go:62, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func9
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.New.func18.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/artifactinfo/artifact_info.go:62, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func8.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/middleware.go:52, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.New.func17.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/notification/notification.go:31, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func6
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.New.func16.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/orm/orm.go:54, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.MiddlewareWithConfig.func15
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.MiddlewareWithConfig.New.func21.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/csrf/csrf.go:62, github.com/goharbor/harbor/src/server/middleware/csrf.Middleware.func2.attach.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/go/pkg/mod/github.com/gorilla/csrf@v1.7.2/csrf.go:306, github.com/gorilla/csrf.(*csrf).ServeHTTP
/harbor/src/server/middleware/csrf/csrf.go:82, github.com/goharbor/harbor/src/server/middleware/csrf.Middleware.func2
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/server/middleware/csrf.Middleware.New.func3.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/session/session.go:35, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func5.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/log/log.go:43, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func4
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.New.func14.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/requestid/requestid.go:46, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func3
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.New.func13.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/metric/metric.go:74, github.com/goharbor/harbor/src/server/middleware/metric.transparentHandler.func1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/trace/trace.go:28, github.com/goharbor/harbor/src/server/middleware/trace.traceHandler.func1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/mergeslash/mergeslash.go:31, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func2
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.New.func12.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/url/parse.go:36, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func1

Contributor guide

Tech stack
go
Domain
securityauthentication
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
active
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
Understanding of OIDC and JWTFamiliarity with GoKnowledge of Harbor OIDC flow
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
45
Research direction
The issue requests support for the HS256 signature algorithm in OIDC JWT validation. The error log indicates that the current implementation in Harbor expects RS256 only. The relevant code is likely in the OIDC authentication module, possibly in files under 'src/core/oidc' or similar. The user reports that many private OIDC providers use HS256, which requires a shared secret instead of a public key. The solution involves modifying the JWT parsing logic to accept HS256, which may require adding configuration for a client secret or symmetric key. The assignee has been set, suggesting active work. Look at the existing OIDC implementation to understand the expected signature algorithm and how to extend it. Check if there are any discussions in the comments that provide additional context.